- If you employ browsers, common trust stores such as the Mozilla trust store, or common platforms such as the latest Android, Apple, Microsoft, or Chromium versions, you will not be impacted by this change. No action needed.
- If you or your end customers have customized your TLS-initiating application to only trust Starfield C2, you will need to update your trust stores to trust all Amazon CAs [1] instead. Such applications will otherwise fail to initiate a TLS connection when they encounter the latest Amazon certificate without C2. We continue to cross sign Amazon CAs with Starfield G2, which is owned by Amazon. All popular public browsers and platforms such as Mozilla, Chrome, Windows, and Android contain the Amazon and Starfield G2 that we chain up to in our certificates.
As a best practice, it is also strongly recommended not to pin your trust to a certificate that you don't completely own, such as certificates for AWS service API endpoints. You can read OWASP guidance on certificate pinning [3] [4].
[1] https://www.amazontrust.com/repository/
[2] https://aws.amazon.com/blogs/security/acm-will-no-longer-cross-sign-certificates-with-starfield-class-2-starting-august-2024/
[3] https://wiki.mozilla.org/CA/Root_CA_Lifecycles
[4] https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning
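The failure mode described in the answer above can be reproduced locally with a throwaway PKI. The script below is an added example, not code from the re:Post answer or from AWS, and it only assumes the `openssl` CLI (1.1.1 or 3.x) is installed. It builds a constructed hierarchy ("Toy Root", "Legacy Cross-Signer", "Toy Intermediate") that plays the role of an Amazon root, the Starfield root that cross-signed it, and an issuing intermediate, then verifies the same leaf against two trust stores: one that contains only the legacy cross-signing root, and one that contains the issuing root itself. The chain that still carries the cross-certificate validates either way; once the cross-certificate is dropped from the served chain, only the trust store holding the issuing root keeps working.

```shell
#!/bin/sh
# Added example (not from the re:Post answer). Demonstrates with openssl why a trust
# store that holds only a legacy cross-signing root breaks once the cross-certificate
# is no longer shipped in the server's chain. Every CA name here is a constructed
# placeholder; none of these are real certificates.
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/toy.cnf"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat >"$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:api.example.test
EOF

# self_signed NAME "/CN=..." -> $WORK/NAME.key and a self-signed CA cert $WORK/NAME.pem
self_signed() {
  openssl req -x509 -config "$CNF" -extensions v3_ca -days 30 \
    -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" >/dev/null 2>&1
}

# csr NAME "/CN=..." [KEYFILE] -> $WORK/NAME.csr (fresh EC key unless KEYFILE is given)
csr() {
  if [ "$#" -ge 3 ]; then
    openssl req -new -config "$CNF" -key "$3" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
  else
    openssl req -new -config "$CNF" -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
  fi
}

# sign CSR_NAME ISSUER_NAME EXT_SECTION OUT_NAME -> $WORK/OUT_NAME.pem issued by ISSUER_NAME
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$CNF" -extensions "$3" -out "$WORK/$4.pem" >/dev/null 2>&1
}

build_pki() {
  self_signed root   "/CN=Toy Root (constructed)"            # the CA's own root (Amazon-root-like)
  self_signed legacy "/CN=Legacy Cross-Signer (constructed)" # older root that used to cross-sign it
  # Cross-certificate: the Toy Root's own key and subject, but signed by the legacy root.
  csr rootx "/CN=Toy Root (constructed)" "$WORK/root.key"
  sign rootx legacy v3_ca root-cross
  csr ica "/CN=Toy Intermediate (constructed)"
  sign ica root v3_ca ica
  csr leaf "/CN=api.example.test"
  sign leaf ica v3_leaf leaf
  # Chain as served before the change (intermediate + cross-cert) and after it (intermediate only).
  cat "$WORK/ica.pem" "$WORK/root-cross.pem" >"$WORK/chain-with-cross.pem"
  cp  "$WORK/ica.pem" "$WORK/chain-no-cross.pem"
}

# verify_leaf TRUST_STORE CHAIN -> prints "ok" or "fail"; only the named trust store is used,
# the system CA bundle is deliberately excluded so the result depends on the toy roots alone.
verify_leaf() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
       -untrusted "$WORK/$2.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

build_pki
echo "trust=legacy-only  chain=with-cross : $(verify_leaf legacy chain-with-cross)"   # ok
echo "trust=legacy-only  chain=no-cross   : $(verify_leaf legacy chain-no-cross)"     # fail
echo "trust=issuing-root chain=with-cross : $(verify_leaf root   chain-with-cross)"   # ok
echo "trust=issuing-root chain=no-cross   : $(verify_leaf root   chain-no-cross)"     # ok
```

The second line is the case the answer warns about: a client whose trust store contains only the cross-signing root has no path to the intermediate once the cross-certificate disappears from the chain. The same `openssl verify -no-CAfile -no-CApath -CAfile <your-store> -untrusted <served-chain> <leaf>` invocation is a quick way to check a custom trust store against a chain captured from a real endpoint before a CA changes its cross-signing.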